
timechart count for last status=up, each month

adamsmith47
Communicator

So, I've simplified my real problem down to this example with as few variables as possible. I wish I could simply alter the manner in which the data is coming in, but I cannot, so I need a solution via SPL.

Here it goes:

Almost daily Splunk indexes a set of data that has two important fields, system_id and system_status. system_id is a unique identifier for each system, and system_status can have the values "up" or "down". This data is indexed all at once, almost daily. An example of events would look like this:

One day:
08/24/2018T01:00:00 5671 up
08/24/2018T01:00:00 5672 up
08/24/2018T01:00:00 5673 down
08/24/2018T01:00:00 5674 up
08/24/2018T01:00:00 5675 up
08/24/2018T01:00:00 5676 down
08/24/2018T01:00:00 5677 up

The next day:
08/25/2018T01:00:00 5671 up
08/25/2018T01:00:00 5672 up
08/25/2018T01:00:00 5673 up
08/25/2018T01:00:00 5674 up
08/25/2018T01:00:00 5675 up
08/25/2018T01:00:00 5676 down
08/25/2018T01:00:00 5677 up

My goal: a timechart which shows the count of the number of systems "up" for the last data indexed each month. If it helps, each system_id is guaranteed to be in each set of indexed data.

This seems deceptively difficult. Many thanks for any help!

0 Karma

skoelpin
SplunkTrust

Try this. It will extract the up or down value, then use conditional logic to give it a 1 or 0, then do a timechart with 1 minute spans.

| rex "\d+\s(?<up_or_down>\w+)$"
| eval state=if(up_or_down="up",1,0)
| timechart span=1m max(state) AS state
0 Karma

adamsmith47
Communicator

Thanks for the response, I should clarify my desired goal.

I'd like a timechart (coverage of 12 months, but span=1 month) which displays only 1 value per month. And that value is the number of "up" systems seen in the last data indexing for the month.

Your response did lead me to a solution which works; however, doing two timecharts in a row seems sloppy. Any suggestions for a more elegant solution?

... my search
| eval state=if(system_status="up", 1, 0)
| timechart span=d@d sum(state) AS state
| timechart span=mon@mon last(state) AS state

0 Karma

skoelpin
SplunkTrust

You could replace the first timechart with an eventstats, or simply leave it the way you got it if it's fast. Please upvote/accept if this helped.

0 Karma
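As an added worked example (not code from either poster), here is one way to combine the daily-sum-then-last-per-month procedure from the question with the eventstats idea from the reply: compute the "up" count per daily batch, pick the latest batch in each calendar month with eventstats, and only then draw the monthly timechart. The index and sourcetype names are placeholders, the 12-month window is an assumption set via earliest/latest, and the field names system_id and system_status are taken from the question.

```spl
index=your_index sourcetype=your_sourcetype earliest=-12mon@mon latest=@mon
| eval state=if(system_status="up", 1, 0)
| bin _time span=1d
| stats sum(state) AS up_count BY _time
| eval month=relative_time(_time, "@mon")
| eventstats max(_time) AS last_day BY month
| where _time=last_day
| timechart span=1mon max(up_count) AS up_count
```

The stats step reduces each daily batch to a single up_count row, eventstats finds the latest batch timestamp within each month, and the where clause keeps only that row, so the final timechart has exactly one value per month without a second aggregation over partially summed data. If more than one batch can ever land in the same day, add `| stats latest(system_status) AS system_status BY _time system_id` after the bin step so each system is counted once per day.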